Community Feedback Proposal: Anti-Abuse Measure on Free Plan

I think the best approach is that the user needs to log in to Bubble instead of using the password for the demo page.

1 Like

Have strict security measures, including the password one, but allow for the bubbler to verify himself through 2FA, phone number, email confirmation, ID verification, credit card verification and once the bubbler is fully “KYC’ed” then this specific bubbler’s apps will not be subject to password and other harsh security restrictions.

Of course, there is no need to implement all of the steps that I listed, and feel free to add other steps I did not mention; it is just to get the point across.

Almost all of us already have 2FA, credit card and email verified anyway.

9 Likes

This. Have the password for version-test on the free Bubble plan, then give the option to remove it while still on the plan if your account is authenticated with CCARD info or similar. :heavy_check_mark:

3 Likes

I think it’s a pity to penalize 99% of the users for a 0.001% running the scams.
Moreover, if we’re talking HTTP authentication, it can be easily bypassed by including the credentials in the URL, if I’m not wrong.

Maybe establishing an algorithm scanning keywords on the text elements on the page could be a less penalizing solution?

3 Likes

For previewing plugin apps it would be great if people who are logged in as bubble users would be able to just skip the showing of the password dialogue (on free apps?)

1 Like

What about a pop-up, with a disclaimer, that shows up for users who visit the free site for the first time?

It doesn’t stop the scammers from using Bubble, but with a disclaimer scamming does not work anymore once people see that it is a Bubble platform they are using.

In that case, I believe you should enable Backend workflows for free plans. It’s the only way to develop a fully-fledged app without having to subscribe to a plan before we even launch live.

I second this.
I have voted No to the proposal because, for plugin developers who are running their demos on the Free Plan, this would prevent users from accessing them without knowing the password.
Providing the password to users would imply reviewing all Plugins > Showcase posts, which can’t be modified further in the past even if you are the author.

Also, allowing access in preview would not be an option, as for demos using third-party APIs, such as AWS or GCP services, plugin developers usually have a demo app able to run with test credentials (editor access disabled to prevent exposing them) and one editor app to show the workflows, without any credentials exposed (editor access as read-only).

@nick.carroll, can you expand on how they are using /version-test to scam and the workflows? Who is the scammer? The app developer I guess? Are they mimicking payment pages for instance? I feel we might put a solution forward without having exactly qualified the problem (at least I am unsure how they are scamming, especially with the bubbleapps.io domain name).

If some of Bubble’s users are scammers, then I second @vini_brito’s proposal.

Why not enable it if specific keywords are detected?

1 Like

That’s a very good idea!

2 Likes

I like this idea. Basically, apps created by “verified” accounts - however Bubble wishes to define that (could be as simple as having a CC on file or as elaborate as multi-factor auth) - should not be subject to the password restriction.

2 Likes

It’s a good idea and I definitely encourage it. Accounts should be properly verified, and password protection will surely make an impact on bad guys.

Wanted to jump back in here and thank everyone for the great feedback on our proposal. We are taking into account all of the considerations mentioned as we continue to flesh out our proposal here. Will keep the thread updated as things progress on our end. In the meantime, I want to stress that we do not intend to change the behavior for legitimate cases like visiting version-test from the editor or for visiting a plugin or template demo page.

5 Likes

I agree regarding the friction adding a CC requirement would add. I get the reasoning behind it, but I can say as a user that I would more than likely NEVER have started with Bubble if a CC had been required for a free account. That has been a determining factor for me with other great platforms; I like the tool but won’t give my CC info as I don’t have a baseline of trust with the product.

From a privacy and security standpoint, storing CC info unnecessarily is a major concern for me. I’ve had my identity stolen, account info stolen, etc., so I like platforms that enable me to keep my digital footprint small for as long as possible.

3 Likes

What about an approval process like the one email API provider Postmark has? But it does seem like a lot of manual work for the Bubble team.

It could be gradual. KYC requirements could become more stringent as your app usage increases (or if an anti-fraud system detects something odd).

2 Likes

Not every country nor builder has a first-world credit card to rely on (kids of 15y? People in Brazil?)

Oh you mean those developing CAD applications killing our beloved Hobby plan :sweat_smile:?

I think that this is not needed; just add a banner saying that this is using the free plan, and just a general scam warning.

I use free apps as demo pages for plugins all the time. I guess I could just do the
https://user:password@myplugin.bubbleapps.io/version-test/

But then wouldn’t scammers just do this also?

Why not a pop up with captcha? Or are captchas just as easily hacked/passed?